web security
play

Web Security HTTPS Certificates Summary ITS335: IT Security - PowerPoint PPT Presentation

Apr 16, 2023 •126 likes •446 views

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09,

  1. ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09, Steve/Courses/2013/s2/its335/lectures/websecurity.tex, r3104 1/31

  2. ITS335 Contents Web Security Browsing Web Browsing Applications HTTPS Certificates Web Applications Summary Confidential Web Communications with HTTPS Digital Certificates Summary 2/31

  3. ITS335 Web Browsing with HTTP Web Security Browsing Applications HTTPS Certificates Summary 3/31

  4. ITS335 Web Browsing with HTTP Web Security Browsing Applications HTTPS Certificates Summary 4/31

  5. ITS335 Web Access with Hypertext Transfer Protocol Web Security ◮ HTTP is a request/response protocol for web browsing Browsing ◮ HTTP is stateless; no dependence between a request Applications and previous request HTTPS ◮ User Agent (client) sends HTTP Request message Certificates Summary ◮ Server responds with HTTP Response message ◮ Default server port number: 80 ◮ Generic HTTP message format: Start line Optional header lines <empty line> Optional message body ◮ Start line differs for request and response ◮ Header format: field-name: value 5/31

  6. ITS335 HTTP Example Web Security Browsing Applications HTTPS Certificates Summary 6/31

  7. ITS335 HTTP Request Messages Web Security ◮ Start line: Method URL Version Browsing ◮ Methods: Applications ◮ GET: retrieve the resource at the specific URL HTTPS ◮ HEAD: same as GET, except do not return message Certificates body (only header) Summary ◮ OPTIONS: retrieve options available for resource or server ◮ POST: asks server to accept and process the attached data at the resource ◮ . . . ◮ Version: version of HTTP, e.g. HTTP/1.0, HTTP/1.1 7/31

  8. ITS335 HTTP Response Messages Web Security ◮ Start line: Version StatusCode StatusReason Browsing ◮ Status Codes and Reasons: Applications ◮ 100: Continue (the client should continue with its HTTPS request) Certificates ◮ 200: OK (the request succeeded) Summary ◮ 301: Moved Permanently (the requested resource has a new URL) ◮ 304: Not Modified (resource hasnt changed since last request, client should use cached copy) ◮ 401: Unauthorized (request must include user authentication) ◮ 403: Forbidden (request was understood, but server refuses to process it) ◮ 404: Not Found (server cannot find resource at requested URL) ◮ 503: Service Unavailable (server currently unable to handle request, e.g. server is too busy) 8/31

  9. ITS335 HTTP Headers Web Security ◮ Date: data and time of message generation Browsing ◮ Host: domain name of host of resource (means relative Applications URLs can be used) HTTPS ◮ Accept-Charset, Accept-Encoding, Accept-Language: Certificates indicate the character sets, encodings and languages Summary that client can accept ◮ Authorization: include user credentials (e.g. username, password) if authorization is required ◮ User-Agent: indicates information about the client (user agent), e.g. web browser ◮ Referrer: URL from which this request came from ◮ Content-Encoding: encoding or compression, e.g. gzip ◮ Content-Length: length of message body on bytes ◮ Content-Type: the type of content in message body ◮ Last-Modified: indicates data/time when content was last modified on server 9/31

  10. ITS335 Contents Web Security Browsing Web Browsing Applications HTTPS Certificates Web Applications Summary Confidential Web Communications with HTTPS Digital Certificates Summary 10/31

  11. ITS335 Web Applications Web Security ◮ Plain, static web pages: HTML, images and other files Browsing served to browser Applications ◮ But many applications use dynamic content HTTPS ◮ Content server to browse changes depending on request Certificates ◮ Provides interactive, tailored content Summary ◮ Client-side: JavaScript, Flash, Silverlight, Java ◮ Server-side: CGI, ASP, PHP, Coldfusion, Java, . . . ◮ Content stored in databases 11/31

  12. ITS335 Dynamic Content with Server-Side Processing Web Security Browsing Applications HTTPS Certificates Summary 12/31

  13. ITS335 What are the security issues? Web Security ◮ Data transmitted between browser and server is Browsing confidential: encryption with HTTPS Applications ◮ Browser sure it is communicating with intended server: HTTPS digital certificates Certificates ◮ Server sure it is communicating with intended user: Summary password authentication, session management ◮ Actions performed by server (engine) are appropriate: authentication, access control ◮ Actions of user (of browser) are kept private: anonymity services 13/31

  14. ITS335 Contents Web Security Browsing Web Browsing Applications HTTPS Certificates Web Applications Summary Confidential Web Communications with HTTPS Digital Certificates Summary 14/31

  15. ITS335 HTTPS Web Security ◮ HTTPS: HTTP over SSL (or TLS) Browsing ◮ URL uses https:// Applications ◮ Web server listens on port 443 HTTPS Certificates ◮ Encrypt: URL of requested document, contents of Summary document, contents of browser forms, cookies, contents of HTTP header ◮ Server is authenticated using certificate (using SSL) ◮ Client is authenticated using password (using HTTP) 15/31

  16. ITS335 SSL and TLS Web Security ◮ Secure Sockets Layer (SSL) originated in Netscape web Browsing browser Applications ◮ Transport Layer Security (TLS) standardised by IETF HTTPS ◮ SSLv3 and TLS are almost the same Certificates Summary ◮ SSL provides security services to application layer protocols using TCP ◮ SSL architecture consists of multiple protocols 16/31

  17. ITS335 SSL Architecture Web Security Browsing Applications HTTPS Certificates Summary Record: provides confidentiality and message integrity Handshake: authenticate entities, negotiate parameter values Change Cipher: change cipher for use in connection Alert: alert peer entity of status/warning/error 17/31

  18. ITS335 Connections and Sessions Web Security ◮ SSL connection corresponds with TCP connection Browsing ◮ Client and server may have multiple connections Applications ◮ SSL session is association between client and server HTTPS ◮ Session created with Handshake protocol Certificates ◮ Multiple connections can be associated with one session Summary ◮ Security parameters for session can be shared for connections ◮ State information is stored after Handshake protocol ◮ Session: ID, certificate, compression, cipher spec, master secret, . . . ◮ Connection: random values, encrypt keys, MAC secrets, IV, sequence numbers, . . . 18/31

  19. ITS335 SSL Record Protocol Operation Web Security Browsing Applications HTTPS Certificates Summary 19/31

  20. ITS335 SSL Handshake Protocol Web Security ◮ Allow client and server to authenticate each other Browsing ◮ Negotiate encryption and MAC algorithms, exchange Applications keys HTTPS ◮ Key Exchange: RSA, Diffie-Hellman Certificates ◮ MAC: HMAC using SHA or MD5 Summary ◮ Encryption: RC4, RC2, DES, 3DES, IDEA, AES ◮ Multiple phases: 1. Establish security capabilities: client proposes algorithms, server selects one 2. Server authentication and key exchange 3. Client authentication and key exchange 4. Finish setting up connection 20/31

  21. ITS335 Contents Web Security Browsing Web Browsing Applications HTTPS Certificates Web Applications Summary Confidential Web Communications with HTTPS Digital Certificates Summary 21/31

  22. ITS335 Authentication and Encryption in Web Browsing Web Security ◮ Browser and server do not have pre-shared secrets Browsing ◮ Use public key cryptography to securely exchange secret Applications key HTTPS ◮ RSA/DSA Certificates ◮ Diffie-Hellman key exchange Summary ◮ Elliptic curve cryptography ◮ Once a secret key is exchanged, use symmetric key encryption ◮ AES, RC4, 3DES, . . . ◮ E.g. with RSA: if a server sends browser its RSA public key, how does browser know it is indeed RSA public key of server? ◮ Get a trusted third party to confirm it is the servers RSA public key 22/31

  23. ITS335 Digital Certificates Web Security Step 1: Server Obtains Digital Certificate Browsing Applications ◮ Server (owner) creates key pair: ( PU s , PR s ) HTTPS ◮ Server confirms identity, ID s , with trusted third party Certificates called Certificate Authority Summary ◮ CA issues server with a digital certificate by signing relevant info: C s = ( ID s || PU s || T , E ( PR CA , H ( ID s || PU s || T )) ◮ A timestamp, T , can be used to determine how long the certificate is valid ◮ X.509 specifies standard format of certificates 23/31

  24. ITS335 Digital Certificates Web Security Step 2: Server Sends Digitial Certificate to Browser Browsing Applications ◮ When browser initiates communications with server, HTTPS server responds with C s Certificates ◮ Browser verifies signature using PU CA Summary ◮ Assumes browser already knows and trusts PU CA ◮ PU CA is stored in self-signed certificate: C CA = ( ID CA || PU CA || T , E ( PR CA , H ( ID CA || PU CA || T )) ◮ Once verified, browser can choose secret value and send it encrypted using PU s to server 24/31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin License : CC-BY-SA 4.0 Introduction What is TLS and why do I need it? TLS stands for Transport Layer Security Difference between https and

360 views • 23 slides
Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1 Table of Contents Attacks using HTTP

486 views • 25 slides
GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

create your own exercise Berkay Kozan, Jan Krol Group 202 GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA + Black Tulip How Certificate Transparency Works SCT delivering methods Merkle

729 views • 55 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides
CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1 Le Lect cture 14 14 Public Key

857 views • 47 slides
CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense 2. HW2 - Graded and returned. 3. HW3 - How are things going? 4. Review of L03 (hash functions &amp; ciphers) 5. Public Key Cryptography 6.

757 views • 43 slides
Kerberos &amp; X.509 11

Kerberos &amp; X.509 11

Kerberos &amp; X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
PROVING WHO YOU ARE TLS &amp; THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH

PROVING WHO YOU ARE TLS &amp; THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH

PROVING WHO YOU ARE TLS &amp; THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm , that they were talking to one another. Therefore, they were vulnerable to MITM

1.64k views • 133 slides

More recommend